@anonymous (if you are going to criticize have some balls and leave a name)

"Anyone can ARP spoof to escalate their privileges."

Three thoughts on that:

1. If you want to read about my two days of scanning and trying things before we went the ARP spoofing option I guess I could have written that up, but it's not too interesting. I scanned, tried exploits, boxes were patched, got nothing...wow!

2. If everyone/anyone can do it, it should be fair game on my test

3. There is a lot of technology and protocols that can be in place that help prevent a lot of that.

For example, most of the LDAP hashes we caught were SSL'ed and just came back as gibberish, that's good. We knew their password policy was complex enough that a regular user wouldn't have a password of "password".

Anyway, pentesting isn't always about busting into a box with the latest 0day and hopping through China and the moon to get access. If you are doing an internal look you need to try some things that a less security-savvy user may try. Sniffing and ARP spoofing are in every hacking book in the world; it's reasonable an insider would try that.

Besides, I'd love to hear your methodology or what you'd do when you do your scanning and have nothing but fully patched 2k3 SP2 servers and XP SP3 clients.
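The reply above mentions that controls exist to catch this kind of insider trick. As an added example (not part of the thread, and not tied to any product), here is the core of an arpwatch-style monitor: it remembers the MAC first seen for each IP in observed ARP replies and raises an alert whenever the binding changes, which is exactly what a poisoned gateway entry looks like from the wire. The addresses in the sample capture are constructed.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "t src_ip src_mac")

# Constructed sample capture (hypothetical addresses): 10.0.0.1 is the gateway
# at aa:bb:cc:00:00:01; from t=12 a second station starts answering for it,
# and at t=30 the real gateway's reply is seen again.
SAMPLE = [
    ArpReply(0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(1, "10.0.0.25", "aa:bb:cc:00:00:25"),
    ArpReply(12, "10.0.0.1", "DE:AD:BE:EF:00:99"),
    ArpReply(13, "10.0.0.1", "de:ad:be:ef:00:99"),
    ArpReply(30, "10.0.0.1", "aa:bb:cc:00:00:01"),
]


def detect_binding_changes(replies):
    """Remember the first MAC seen per IP and report every later change.

    A change back to a MAC previously seen for the same IP is reported as a
    'flip_flop' (the pattern a poisoned-then-recovered cache produces);
    any other change is 'changed_ethernet_address'. MACs are compared
    case-insensitively so a re-cased address is not a false alert.
    """
    current = {}   # ip -> MAC currently bound to it
    history = {}   # ip -> every MAC ever seen for it
    alerts = []
    for r in replies:
        ip, mac = r.src_ip, r.src_mac.lower()
        if ip not in current:
            current[ip] = mac
            history[ip] = {mac}
            continue
        if current[ip] == mac:
            continue
        kind = "flip_flop" if mac in history[ip] else "changed_ethernet_address"
        alerts.append({"t": r.t, "kind": kind, "ip": ip,
                       "old": current[ip], "new": mac})
        current[ip] = mac
        history[ip].add(mac)
    return alerts


if __name__ == "__main__":
    for a in detect_binding_changes(SAMPLE):
        print(a)
```

A real deployment feeds this from a span port or the host's own cache, and a change for a gateway or DHCP server address is the one worth paging on.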

It is not a criticism as I originally pointed out, it was a question that was worded wrongly.

I have been in the same position as you multiple times with fully patched boxes.

I assumed you were using ARP spoofing before following other routes hence the question.

I am slightly against ARP spoofing mainly because of the issues associated with using it on certain networks. Think .gov, .mil etc. Using ARP spoofing brings the men in geek polo shirts and their nasty security people with guns.